Wireless access point

From DD-WRT Wiki



Introduction

This was tested with Broadcom (Linksys wrt54gl1.1 & Buffalo whr-hp-g54).

If you have a large network for which DD-WRT is not a suitable core router, you will probably want wireless clients to be part of the larger network. In this case, clients get their DHCP configuration from some other DHCP server and can be reached by other clients on the network.

Linking routers by ethernet cables does not require dd-wrt on any router. All routers can be linked by ethernet cable and it will work. However, some more advanced settings are available in dd-wrt.

As an example, some colleges that still allow students to have their own wireless access points (WAPs) require that the WAPs not hand out private IP addresses (as many routers with DHCP/NAT do by default), because that makes it difficult to track down which client is causing problems (e.g. virus infections, worms, etc.).

Typically, vendors such as Linksys charge more for devices which work as standalone WAPs because routers are typically used by home users and WAPs are more popular for businesses. With DD-WRT you can buy a device marketed as a router and use it as a WAP.

If you want a secondary router to be on a separate subnet from the primary, all you have to do is a hard reset on your router. Set the router IP to on the basic setup page. Set security and SSID on the wireless tab. Hit save before changing pages and hit apply when you are done. Plug the LAN cable from your primary into the WAN port of the second router. You are done. If you want it on the same subnet, so that all computers on your network can access each other, follow the instructions below:

Installation

Simple Version

  • Disable DHCP
  • Connect a LAN port to the main network / to the main Router's LAN port

Now you have an access-point-only setup, where clients are served IP details from your main network or main router.

Short Version

Do a hard reset on the second router.

Short Version for Same Subnet

If you want to connect two routers with an Ethernet cable, so that all devices connected to either of them can communicate with each other, plug an Ethernet cable into a LAN (not WAN) port of each router, set the IP of the second router to the same LAN IP address as the first router PLUS ONE (eg., disable DHCP on the second router, and set it to a different channel from the first.

Long Version for Same Subnet

If you want to connect two routers with an Ethernet cable so that the clients on one router are isolated from those on the other, you need iptables rules to do this fully. However, you can get rudimentary isolation by plugging the Ethernet cable from the first router's LAN port into the second router's WAN port, setting the IP of the second router to a DIFFERENT subnet (eg - Plus one to third octet if using as subnet mask), and leaving DHCP enabled on the second router.

If you wish to be able to access your secondary router from devices on your primary LAN, enable Web GUI management in the Remote Access section of the Administration/Management page. You should then be able to access the secondary router by typing in its WAN IP. Setting up a static lease for the second router's WAN interface in Services on the first router means you will always know the address at which to reach the second one. This is the usual router/gateway mode, which is NOT the main goal of this wiki page.

Now let's see how to set up an access point so that its wireless clients and wired devices are in the same subnet as the main router:

Long Version

Here's how to create a Wireless Access Point using dd-wrt v24. Please pay special attention to the Review section of this article, especially if you are using an older version.

  1. Hard reset or 30/30/30 the router to dd-wrt default settings
  2. Connect to the router @
    • Note: If this router is wired to another router, there may be conflicts (both routers could have the same IP address). For the time being, disconnect this router from the main one.
  3. Open the Setup -> Basic Setup tab
    • WAN Connection Type : Disabled
    • Local IP Address: (i.e. different from primary router and out of primary router's DHCP pool)
    • Subnet Mask: (i.e. same as primary router)
    • DHCP Server: Disable (also uncheck DNSmasq options)
    • (Recommended) Gateway/Local DNS: IP address of primary router (many things will fail without this as your router will not be able to access the internet or another network without it)
    • (Optional) Assign WAN Port to Switch (visible only with WAN Connection Type set to disabled): Enable this if you want to use WAN port as a switch port
    • (Optional) NTP Client: Enable/Disable (if Enabled, specify Gateway/Local DNS above)
    • Save
  4. Open the Setup -> Advanced Routing tab
    • (Optional) Change operating mode to: Router
    • Save
  5. Open the Wireless -> Basic Settings tab
    • Wireless Network Name (SSID): YourNetworkNameHere
    • (Optional) Sensitivity Range: The max distance (in meters) to clients x2
    • Save
  6. Open the Wireless -> Wireless Security tab
    • Note: Security is optional, but recommended! Clients must support whatever mode you select here.
    • (Recommended) Security Mode: WPA2
    • (Recommended) WPA Algorithm: AES
    • (Recommended) WPA Shared Key: >8 characters
    • Save
  7. Open the Services -> Services tab
    • (Optional) DNSMasq: Disable (enable if you use additional DNSMasq settings)
    • (Optional) ttraff Daemon: Disable
    • Save
  8. Open the Security -> Firewall tab
    • Uncheck all boxes except Filter Multicast
    • Save
    • Disable SPI firewall
    • Save
  9. Open the Administration -> Management tab
    • (Recommended) Info Site Password Protection: Enable
    • (Recommended) Routing: Disabled (enable if you need to route between interfaces)
    • Apply Settings and connect Ethernet cable to main router via LAN-to-LAN uplink*
    • Reboot router to be sure all settings have been applied.
    • You may have to reboot your own PC or do "ipconfig /release" + "ipconfig /renew" from the Windows command line.

  • Notes:
    1. To connect the WAP to the main router, you can probably use either a patch cable, straight-thru, or a crossover cable. Most DD-WRT capable devices can do auto-sensing so the cable type doesn't usually matter.
    2. You can connect the WAP to the main router via LAN-to-WAN so long as you have assigned the WAN port to switch (see step 3).
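
The address constraints in step 3 (same subnet as the primary router, a different IP, outside the primary router's DHCP pool) can be checked from a workstation shell before saving. This is an added example, not part of the DD-WRT wiki or firmware; the function names are hypothetical and all addresses are constructed from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not DD-WRT code). Function names are hypothetical and
# every address below is constructed (RFC 5737 documentation ranges).

# Print a dotted-quad IPv4 address as an integer; return 1 if malformed.
ip2int() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_wap_ip WAP_IP ROUTER_IP NETMASK POOL_START POOL_END
# Prints a one-word verdict; returns 0 only when the address is usable.
check_wap_ip() {
    wap=$(ip2int "$1") && rtr=$(ip2int "$2") && mask=$(ip2int "$3") &&
        lo=$(ip2int "$4") && hi=$(ip2int "$5") ||
        { echo "invalid-input"; return 2; }
    net=$(( rtr & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    if [ "$wap" -eq "$rtr" ]; then
        echo "conflicts-with-router"; return 1
    elif [ $(( wap & mask )) -ne "$net" ]; then
        echo "wrong-subnet"; return 1
    elif [ "$wap" -eq "$net" ] || [ "$wap" -eq "$bcast" ]; then
        echo "network-or-broadcast"; return 1
    elif [ "$wap" -ge "$lo" ] && [ "$wap" -le "$hi" ]; then
        echo "inside-dhcp-pool"; return 1
    fi
    echo "ok"
}

# Constructed plan: router .1, DHCP pool .100-.149, WAP proposed at .2
check_wap_ip 192.0.2.2 192.0.2.1 255.255.255.0 192.0.2.100 192.0.2.149
```

An address inside the pool is the case worth catching: the primary router's DHCP server may later lease the WAP's address to a client.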

Review

There were three basic configuration changes you made to set up your router as a wireless access point.

Turn Off DHCP

If you did not turn off DHCP, when you plug your router into the network (after configuration), your WAP may provide IP addresses to clients on the wired network, and this may be inappropriate. Tracking down problems caused by multiple DHCP servers can be time-consuming and difficult.

Because it's so important, it is worth repeating: Turn off DHCP before you continue!

Set the IP address of the LAN Interface

Immediately after turning off DHCP, while your PC still has the IP address the WAP gave you, set the LAN interface of the WAP to the IP address you want it to use, eg. if host router is, give WAP an IP of Alternatively, you can use the instructions below to set the WAP's IP address via DHCP.

If you cannot connect to the WAP in order to set the LAN interface's IP address, it is probably because your computer no longer has an IP address on the same subnet. To get past this issue, simply set your computer's IP address and subnet to and respectively. (This assumes you are still using the default settings. If not, change the IP address and subnet as appropriate) You should now be able to point your browser at (again assuming default settings).

LAN Uplink

There are two ways to connect your WAP to the LAN. You can either Uplink through one of the router's LAN ports, or use the WAN port that is normally connected to the cable/DSL modem.

LAN Uplink Through LAN Port

To complete the link between the two routers, connect a LAN port on the central router to a LAN port on the Linksys router (to be used as your WAP). You may need a crossover cable to do this, although many modern routers have automatic polarity sensing. To test this, connect a standard Ethernet cable between the two routers. If the LAN light comes on, the router has automatically switched the polarity and a crossover cable is not required.

LAN Uplink Through WAN Port

If you use your DD-WRT router as a WAP only, you may use your DD-WRT router's WAN port to connect it to your existing LAN. To do this, you need to disable the Internet Connection and "Assign WAN Port to Switch".

Normally, the router does Layer 3 IP routing, but by "Assigning WAN Port to Switch," your DD-WRT router will bypass that functionality and just pass on the Layer 2 Ethernet frames from your wired network to the wireless network and vice versa.

Alternatively, if you have a router that supports assigning the WAN port to the switch:
Setup -> Basic Setup -> Internet Connection Type -> Connection Type = Disabled
Setup -> Basic Setup -> Network Setup -> WAN Port -> Assign WAN Port to Switch
you can connect the WAN port as your uplink to your main router. All this really buys you is an extra port (4 available instead of 3), but why not?

Roaming access

If you are installing additional Access Points to cover a broader area with Wi-Fi access, it is possible to allow clients to roam freely between them. The common method is to use the same SSID and Security settings on each access point. The clients control when to switch between APs. Most clients will switch when they see a more powerful AP available, but some client radios are not able to listen for a new AP while connected to an existing AP, and as a result those clients will not roam to the new AP until they completely lose signal from the old one. A typical roaming transition from one AP to the other takes about 50ms if using simple authentication (open or WPA2 PSK AES).

Use a different channel on each AP. For example, if you are in the US and have installed two access points, use channels #1 and #11; with three access points, use channels #1, #6, and #11 (setting the channels at least 5 apart should help keep interference between APs to a minimum). If you have a residential gateway with wireless turned on, and just one AP, then the same applies: each gets a different channel. If you are in Europe, use channels 1, 5, 9 & 13.

When using multiple Access Points, each one should be connected by LAN to LAN uplink as described above. They can even be attached to different switches within the same organization.

Access Point placement needs to be done carefully. If the APs are too far apart, there will be holes in the coverage and clients will drop off when going from one AP to the other. If the APs are too close, clients will "stick" to one AP while moving out of its region and into another's. If the APs are too close and moving them further apart is not practical, the transmit power on each AP can be reduced.

You can also try setting the APs to use the same channel. This will halve bandwidth when both APs are talking to clients but it may help clients that have problems sticking to one AP.

It can also be helpful to disable the slower 802.11 transfer rates with the wl rateset command, for example:

wl down
sleep 5
wl rateset 18b 24 36 48 54
wl up

This sets the minimum rate to 18 Mbit/s, and clients will drop off as the signal level falls below what is needed to support it.

There are additional considerations with roaming using wireless VoIP gear and WPA Enterprise modes. These environments require additional authentication from the client that could exceed the TCP/IP TTL and cause a disconnection of a higher-level application such as the VoIP client. Because of that, the IEEE 802.11r-2008 protocol, also known as Fast Transition (FT), was developed. dd-wrt does not currently support 802.11r FT, but there is support for it in OpenWRT. The wireless client must also support Fast Roaming for this protocol to work; typically this will be cell phones that support it.

How To Use DHCP to Set the WAP's IP Address

Note: This step is optional. Having the WAP's IP address set by a DHCP server is not required. It can be made static, as shown above.

Note also that the steps below assume a DHCP server is running on the LAN outside this dd-wrt WAP box (e.g. in the ISP's DSL box/gateway), so keep the WAP's internal dd-wrt DHCP server disabled as stated above, along with all the other settings.

It is not possible to set the LAN interface to get its IP address via DHCP using the web configuration interface. You can, however, set your startup script to obtain an IP address.

Simply set your IP address to (starting dhcp client):

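[ ! -e /tmp/udhcpc ] && ln -s /sbin/rc /tmp/udhcpc
udhcpc -i br0 -p /var/run/udhcpc.pid -s /tmp/udhcpc -H test-wrt-wireless
# The two lines above start the DHCP client on br0.
# Optional: take the hostname from the reverse-DNS name of the leased address.
hostname `nslookup \`ifconfig br0 | grep 'inet addr' | cut -f 2 -d ':' | cut -f 1 -d ' '\` | grep 'Name:' | awk '{print $2;}' | cut -f 1 -d '.'`
# Write to nvram only when the name has actually changed.
if test "`hostname`" != "`nvram get wan_hostname`"; then
     nvram set wan_hostname=`hostname`;
     nvram set router_name=`hostname`;
     nvram commit;
fi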

Only the first two lines are required if you don't want your WAP to set its name based on the IP address it gets. However, if you want to save a configuration file which will apply to several WAPs, that can be a handy feature.

EDIT 2013/09/19: If you leave the "Local DNS" GUI field to, then the WAP will use the DNS supplied by DHCP. For this to work, the "Gateway" must be set too, so you will also want the gateway to be assigned by DHCP. You do this by appending

route add default gw `nvram get wan_gateway`

after the udhcpc command in the script. You will leave the unused Basic/Network Setup/"Gateway" GUI field to, or, to get GUI feedback of the currently assigned wan_gateway nvram value, have this field filled with the nvram lan_gateway value by setting the latter the same way as shown below for wds_watchdog_ips.

You may then want the optional WDS/Connection Watchdog to ping the gateway it just got from DHCP. Enable the watchdog in the GUI, set the desired delay so that the WAP monitors the connection to the gateway, leave the IPs field blank, and append the following 4 lines after the route add ... command above. They fill the field in for you, and the watchdog will help your WAP follow any change of the gateway IP address (as long as the previous gateway IP is no longer used. You can work around the case where the previous IP is reused for another purpose with a custom script that reboots on URL ping failure, plus the cron job that triggers it in the GUI Management tab; but if the gateway loses its WAN connection, the WAP's wireless clients may lose their wireless connection each time the WAP reboots. To prevent this, consider pinging both external URL(s) and internal IP(s) and have the custom script reboot the WAP only when all pings fail; this preserves internal connections when the Internet is lost on the gateway's WAN side).

The if tests below are only there to preserve the service life of the nvram, by not rewriting it on boot when nothing has changed. Even the WAP's IP will survive reboots thanks to a static lease; this applies to the other scripts too.

GW=`route -n|grep UG|awk '{print $2;}'`
if [ "`nvram get wds_watchdog_ips`" != "$GW" ]; then
    nvram set wds_watchdog_ips="$GW"; nvram commit   # write nvram only on change
fi
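
The custom script suggested above, which reboots the WAP only when all pings fail, could look like this. It is an added example, not part of the DD-WRT wiki or firmware; the targets are constructed placeholders, the variable and function names are hypothetical, and the ping options are assumed to be supported by the router's ping.

```shell
#!/bin/sh
# Added example (not DD-WRT code): reboot only when EVERY target is down,
# so losing the Internet at the gateway does not reboot-loop the WAP.

# Constructed placeholders: one internal address and one external name.
TARGETS="${TARGETS:-192.0.2.1 example.com}"
# Overridable so the decision logic can be exercised without a network.
PING_CMD="${PING_CMD:-ping -c 1 -W 2}"
REBOOT_CMD="${REBOOT_CMD:-reboot}"
RETRIES="${RETRIES:-3}"

# Return 0 as soon as any target answers one of RETRIES probes.
any_target_alive() {
    for target in $TARGETS; do
        tries=0
        while [ "$tries" -lt "$RETRIES" ]; do
            if $PING_CMD "$target" >/dev/null 2>&1; then
                return 0
            fi
            tries=$((tries + 1))
        done
    done
    return 1
}

# Print the decision, and reboot only if every probe of every target failed.
watchdog_run() {
    if any_target_alive; then
        echo "alive"
    else
        echo "rebooting"
        $REBOOT_CMD
    fi
}

# Acts only when invoked with the argument "run" (e.g. from the cron job).
if [ "${1:-}" = "run" ]; then
    watchdog_run
fi
```

Listing the gateway's LAN address first keeps the common case cheap: when the gateway answers, no external probe is sent.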

Once you have manually set the router name and hostname fields, you should set the DHCP startup script this way:

# Start the DHCP client on br0, sending the hostname stored in nvram
[ ! -e /tmp/udhcpc ] && ln -s /sbin/rc /tmp/udhcpc
udhcpc -i br0 -p /var/run/udhcpc.pid -s /tmp/udhcpc -H `nvram get wan_hostname`
route add default gw `nvram get wan_gateway`
# Read back the gateway, address and netmask currently in effect
GW=`route -n|grep UG|awk '{print $2;}'`
IP_LAN=`ifconfig br0 | grep 'inet addr' | cut -d: -f2 | cut -d' ' -f1`
MSK=`ifconfig br0 | grep 'inet addr' | cut -d: -f4`
# Update nvram only where a value differs; NC=1 marks that a commit is needed
if [ "`nvram get lan_ipaddr`" != "$IP_LAN" ]; then nvram set lan_ipaddr="$IP_LAN"; NC=1; fi
if [ "`nvram get lan_netmask`" != "$MSK" ]; then nvram set lan_netmask="$MSK"; NC=1; fi
if [ "`nvram get lan_gateway`" != "$GW" ]; then nvram set lan_gateway="$GW"; NC=1; fi
if [ "`nvram get wds_watchdog_ips`" != "$GW" ]; then nvram set wds_watchdog_ips="$GW"; NC=1; fi
# Commit and reboot only if something changed
if [ "$NC" = 1 ]; then nvram commit; reboot; fi

The IP address, mask and gateway will then all show correctly in the Settings web GUI page.


Related wiki links

Secure remote management for a WAP